IN THE CLAIMS 

1 . (Currently amended) Apparatus for the secure installation and use of an 
information system comprising: 

having a plurality of nodes, where said plurality of nodes includes at least 
one information appliance and at least one security console, comprising: 

at least one data-carrying object containing security-related data; and 

at le a st on e a plurality of object receptacles that comprises a portion of at 
teasi-one or more of said nodes, two or more of said object receptacles 
being connected to said security console, a said data-carrying object 
being inserted into a selected one of said two or more object receptacles 
that reads for r e ad i ng -out the security-related data x for i nd i cat i ng to th e 
i nformation syst e m wherein a desired security configuration of said 
information system is based on said security-related data and said 
selected receptacle . 

2. (Original) Apparatus as in claim 1, wherein said data-carrying object 
stores the security-related data in a form that can be read-out by one of an 
electrical sensor, an optical sensor, or a magnetic sensor. 

3. (Currently amended) Apparatus as in claim 1, wherein said 
data-carrying object remains inserted in said selected receptacle for as long as 
the security configuration is desired to be in effect. 

4. (Currently amended) Apparatus as in claim 1, wherein said 
data-carrying object is temporarily made readable by said selected receptacle in 
order to initiate said security configuration. 
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5. (Currently amended) Apparatus as in claim 1, wherein afv -said 
information appliance has associated therewith at l o ast on o corr e sponding the 
security-related data of said data-carrying object for i ns e rt i ng into sa i d 
r e c e ptacl e, and wherein sa i d r e c e ptac le h a s an output couplod to s ai d s e curity 
consol e i n an i nformation syst e m wher e the information appliance is intended to 
be used for indicating that the information appliance is one of a trusted 
information appliance or an untrusted information appliance. 

6. (Currently amended) Apparatus as in claim 1, wherein an- said 
information appliance is given access to information system resources, including 
information, by inserting a n additional data-carrying object associated with said 
security console into sa*4- at least one receptacle that has , sa i d rocoptacl e having 
an output that is coupled to said information appliance. 

7. (Currently amended) Apparatus as in claim 1, wherein each of said 
information appliance and said security console have associated therewith at 
l e ast on e first and second corresponding data-carrying object s, respectively , 
wherein said selected receptacle comprises a first receptacle x has an output 
coup le d to said s e cur i ty consol e i n an i nformation syst e m wherein the information 
appliance is intended to be used for indicating, from security-related data 
contained on said first data-carrying object associated with said information 
appliance, that the information appliance is one that is authorized to fulfil and 
originate requests for information system resources, and wherein a second one 
of said receptacles has an output coupled to said information appliance for 
indicating, from security-related data contained on said second data-carrying 
object associated with said security console, that said security console is 
authorized to fulfil and originate requests for information appliance resources, 
including information. 

8. (Currently amended) Apparatus as in claim 1, wherein said data 
carrying object comprises a first one of first and second data-carrying objects that 
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are obtained as a pair, wherein said selected receptacle comprises a first 
receptacle,, has an output coupl e d to sa i d s e cur i ty conso l e i n an i nformat i on 
syst e m wherein the information appliance is intended to be used for indicating, 
from security-related data contained on a- said first on e of sa i d pa i r of data- 
carrying objects, that the information appliance is one that is authorized to fulfil 
and originate requests for information system resources, and wherein a second 
one of said receptacles has an output coupled to said information appliance for 
indicating, from security-related data contained on a said second on e of sa i d pair 
of-data-carrying objects, that said security console is authorized to fulfil and 
originate requests for information appliance resources, including information. 

9. (Currently amended) Apparatus as in claim 1, wherein said selected 
receptacle comprises a first th e r e ar e a plura li ty of sa i d receptacles, and wherein 
an insertion of a-the data-carrying object into a- said first receptacle indicates 
different security-related information than inserting the data-carrying object into a 
second one of said two or more receptacles. 

10. (Currently amended) Apparatus as in claim 1, wherein said 
data-carrying objects is one of ar e obta i n e d a s a pai r of data-carrying objects , 
and wherein the data-carrying objects in any given pair are the same shape, and 
no two data-carrying objects not in the same pair are the same shape. 

1 1 . (Currently amended) Apparatus as in claim 1 , wherein said 
data-carrying objects is one of ar e obta i n e d as a pair of data-carrying objects , 
and wherein the data-carrying objects in any given pair are imprinted with a same 
visible identification information, and no two data-carrying objects not in the same 
pair are imprinted with the same visible identification information. 

12. (Currently amended) Apparatus as in claim 1, wherein said 
data-carrying objects is one of a r e obt a in e d a s a pai r of data-carrying objects , 
and wherein the data-carrying objects in any given pair are fashioned so as to 
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mechanically join together, and no two data-carrying objects not in the same pair 
will not or are unlikely to mechanically join together. 

13. (Currently amended) Apparatus as in claim 1, wherein said 
data-carrying objects is one of a a re obt aine d in groups of at least three data- 
carrying objects , and where access to a resource of said information appliance , 
including information, is obtained by providing one subset of data-carrying 
objects from a -said group to a receptacle associated with a requestor of the 
resource, and a disjoint set of data-carrying objects from th e sam e said group is 
provided to the receptacles of the security console. 

14. (Currently amended) Apparatus as in claim 13, wherein identifications 
of all individual data-carrying objects in the group can be ascertained by viewing 
the security console, even if some subset of the data-carrying objects are 
provided to a- said receptacle associated with a requestor of the resource. 

15. (Currently amended) Apparatus as in claim 13, wherein a utilization of 
different disjoint subsets of the data-carrying objects in a- said group indicates 
different levels of trust to be granted to the requestor with respect to the 
resource. 

16. (Currently amended) Apparatus as in claim 13, wherein a utilization of 
different disjoint subsets of the data-carrying objects in a- said group indicates 
different levels of authorization to be granted to the requestor with respect to the 
resource. 

17. (Currently amended) Apparatus as in claim 13, wherein data-carrying 
objects in a part i cu l ar said group mechanically join together to form an 
assemblage, where the assemblage is adapted to be attached to a device 
through a single connection. 
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18. (Currently amended) Apparatus as in claim 1 , wherein said information 
appliance is one of a group of information appliances, wherein i n which a 
newly-obtained information appliance is added to a said group of authoriz e d 
i nformat i on appl i anc e s on behalf of a principal, by providing a n additional 
data-carrying object representing the principal to a receptacle of the newly 
obtained information appliance. 

19. (Original) Apparatus as in claim 18, wherein said data-carrying object 
representing the principal contains data which includes at least one secret known 
only to the principal. 

20. (Original) Apparatus as in claim 19, wherein the secret known only to 
the principal comprises the private half of a public-private key pair associated 
with an asymmetric cryptosystem. 

21 . (Currently amended) Apparatus as in claim 1 , wherein said information 
appliance is authorized on behalf of a certain principal, wherein said i n which a 
certain principal, and said at loast one information appliance authoriz e d to act on 
bohalf of tho princ i pa l , is granted a certain level of access to a certain resourcejpf 
said information appliance by providing, to a one of said receptacles associated 
with a* said information appliance representing the resource, a n additional 
data-carrying object representing the principal. 

22. (Currently amended) Apparatus as in claim 21 , wherein data contained 
in the additional data-carrying object representing the principal comprises the 
public half of a public-private key pair associated with an asymmetric 
cryptosystem. 

23. (Currently amended) Apparatus as in claim 22, in which the additional 
data-carrying object representing the principal comprises an image of the 
principal. 
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24. (Currently amended) Apparatus as in claim 22, in which the additional 
data-carrying object representing the principal comprises a computer-readable 
data portion and an image of the principal. 

25. (Original) Apparatus as in claim 24, further comprising a holder for 
holding the computer-readable data portion such that both the 
computer-readable data portion and the image are accessible. 

26. (Currently amended) A method for the secure installation and use of 
an information system towFNg- comprising a plurality of nodes, where said plurality 
of nodes include at least one information appliance and at least one security 
console, said method comprising steps of: 

providing at least one data-carrying object containing security-related 
data; and 

inserting the data-carrying object into at le ast a selected one of a plurality 
of object receptacles that comprises a portion of at least one of the nodes, 
wherein the selected object receptacle is one of two or more of said 
receptacles that are connected to said security console, the data-carrying 
object being inserted into the selected receptacle that reads for r e ading 
out the security-related data ± for i nd i cati n g to the informat i on syst e m 
wherein a desired security configuration of said information system is 
based on the security-related data and the selected object receptacle . 

27. (Original) A method as in claim 26, wherein the data-carrying object 
stores the security-related data in a form that can be read-out by one of an 
electrical sensor, an optical sensor, or a magnetic sensor. 
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28. (Currently amended) A method as in claim 26, wherein the 
data-carrying object either remains inserted in the selected receptacle during the 
operation of the information system, or is temporarily inserted in or otherwise 
made readable by the selected receptacle either before or during the operation of 
the information system. 

29. (Currently amended) A method as in claim 26, wherein an- said 
information appliance has associated therewith at l o ast on o corr e sponding the 
security-related data of said data-carrying object for ins e rting into the rec e pt a cle , 
wherein th o r e c e ptac le has an output coupl e d to th e s e curity conso le i n an 
information syst e m where the information appliance is intended to be used for 
indicating that the information appliance is one of a trusted information appliance 
or an untrusted information appliance. 

30. (Currently amended) A method as in claim 26, wherein aft- said 
information appliance is given access to information system resources, including 
information, by inserting a n additional data-carrying object associated with the 
security console into at least one of the receptacle s that has , th e r e ceptac le 
having an output that is coupled to the information appliance. 

31. (Currently amended) A method as in claim 26, wherein each of the 
information appliance and the security console have associated therewith a t l e ast 
ene first and second corresponding data-carrying objects, respectively, wherein 
said selected receptacle comprises a first receptacle A has an output coupl e d to 
th o s e cur i ty conso le in an i nformat i on system wherein the information appliance 
is intended to be used for indicating, from security-related data contained on the 
first data-carrying object associated with the information appliance, that the 
information appliance is one that is authorized to fulfil and originate requests for 
information system resources, and wherein a second one of the receptacles has 
an output coupled to the information appliance for indicating, from 
security-related data contained on the second -data-carrying object associated 
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with the security console, that the security console is authorized to fulfil and 
originate requests for information appliance resources, including information. 


32. (Currently amended) A method as in claim 26, wherein the data 
carrying object comprises a first one of first and second data-carrying objects that 
are provided as a pair, wherein the selected receptacle comprises a first 
receptacle^ has an output coup le d to th o secur i ty consol e in an i nform a t i on 
syst e m wherein the information appliance is intended to be used for indicating, 
from security-related data contained on a said first on e of th e pair of data- 
carrying objects, that the information appliance is one that is authorized to fulfil 
and originate requests for information system resources, and wherein a second 
one of the receptacles has an output coupled to the information appliance for 
indicating, from security-related data contained on a said second one of th e pa i r 
of-data-carrying objects, that the security console is authorized to fulfil and 
originate requests for information appliance resources, including information. 

33. (Currently amended) A method as in claim 26, wherein said selected 
receptacle comprises a first ther e ar e a plurality of th e receptacles, and wherein 
an insertion of a the data-carrying object into a said first receptacle indicates 
different security-related information than inserting the data-carrying object into a 
second one of said two or more receptacles. 

34. (Currently amended) A method as in claim 26, wherein the 
data-carrying objects is one of ar e prov i d e d as a pair of data-carrying objects , 
and wherein the data-carrying objects in any given pair are the same shape, and 
no two data-carrying objects not in the same pair are the same shape. 

35. (Currently amended) A method as in claim 26, wherein the 
data-carrying object s ar e prov i d e d as is one of a pai r of data-carrying objects , 
and wherein the data-carrying objects in any given pair are imprinted with a same 
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visible identification information, and* no two data-carrying objects not in the same 
pair are imprinted with the same visible identification information, 

36. (Currently amended) A method as in claim 26, wherein the 
data-carrying object s ar e prov i d e d as is one of a pai r of data-carrying objects , 
and wherein the data-carrying objects in any given pair are fashioned so as to 
mechanically join together, and no two data-carrying objects not in the same pair 
will not or are unlikely to mechanically join together. 

37. (Currently amended) A method as in claim 26, wherein said 
data-carrying object s ar e obta i n e d i n is one of a groups of at least three data- 
carrying objects , and where access to a resource of the information appliance , 
including information, is obtained by providing one subset of data-carrying 
objects from a said group to a receptacle associated with a requestor of the 
resource, and a disjoint set of data-carrying objects from th e sam e said group is 
provided to the receptacles connected to the security console. 

38. (Currently amended) A method as in claim 37, wherein identifications 
of all individual data-carrying objects in the group can be ascertained by viewing 
the security console, even if some subset of the data-carrying objects are 
provided to a-the receptacle associated with a requestor of the resource. 

39. (Currently amended) A method as in claim 37, wherein a utilization of 
different disjoint subsets of the data-carrying objects in a- said group indicates 
different levels of trust to be granted to the requestor with respect to the 
resource. 

40. (Currently amended) A method as in claim 37, wherein a utilization of 
different disjoint subsets of the data-carrying objects in a- said group indicates 
different levels of authorization to be granted to the requestor with respect to the 
resource. 
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41. (Currently amended) A method as in claim 37, wherein data-carrying 
objects in a p a rt i cu l ar said group mechanically join together to form an 
assemblage, where the assemblage is adapted to be attached to a device 
through a single connection. 

42. (Currently amended) A method as in claim 2637, in which access to 
the resource is denied unless every data-carrying object of the group is inserted 
into a receptacle. 

43. (Currently amended) A method as in claim 26, wherein said 
information appliance is one of a group of information appliances, and further 
comprising a step of adding a newly-obtained information appliance to a- said 
group of author i z e d i nformation appl i anc e s, on behalf of a principal, by inserting 
a n additional data-carrying object representing the principal to a receptacle of the 
newly obtained information appliance. 

44. (Original) A method as in claim 43, wherein the data-carrying object 
representing the principal contains data which includes at least one secret known 
only to the principal. 

45. (Original) A method as in claim 44, wherein the secret known only to 
the principal comprises the private half of a public-private key pair associated 
with an asymmetric cryptosystem. 

46. (Currently amended) A method as in claim 26, wherein said 
information applicance is authorized on behalf of a certain principal, wherein said 
i n which a certain principal, and at le ast on e said information appliance 
author i z e d to a ct on b e ha l f of th e pr i nc i pa l , is granted a certain level of access to 
a certain resource of said information appliance by inserting, to a- one of said 
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receptacles associated with afhthe information appliance representing the 
resource, a n additional data-carrying object representing the principal. 

47. (Currently amended) A method as in claim 46, wherein data contained 
in the additional data-carrying object representing the principal comprises the 
public half of a public-private key pair associated with an asymmetric 
cryptosystem. 

48. (Currently amended) A method as in claim 47, in which the additional 
data-carrying object representing the principal comprises an image of the 
principal. 

49. (Currently amended) A method as in claim 47, in which the additional 
data-carrying object representing the principal comprises a computer-readable 
data portion and an image of the principal. 

50. (Original) A method as in claim 49, further comprising a step of 
providing a holder for holding the computer-readable data portion such that both 
the computer-readable data portion and the image are accessible. 

51. (Currently amended) A computer program embodied on a computer- 
readable medium for providing for the secure installation and use of an 
information system hawig -com prising a plurality of nodes, where said plurality of 
nodes include at least one information appliance and at least one security 
console, said computer program comprising code segments responsive to at 
least one data-carrying object containing security-related data that is inserted into 
at le ast a selected one of a plurality of object receptacles that comprises a 
portion of at least one of the nodes, for r e ad i ng wherein the selected object 
receptacle reads out the security related data- and is one of two or more of said 
object receptacles that are connected to said security console, and for 
d e t e rm i ning, for the informat i on syst em , wherein a desired security configuration 
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of said information system is based on said security-related data and said 
selected receptacle . 

52. (New) Apparatus for the secure installation and use of an information 
system comprising: 

a plurality of nodes, where said plurality of nodes includes at least one 
information appliance and at least one security console, 

at least first and second physical data-carrying objects each containing 
security-related data; and 

a first object receptacle and a second object receptacle that are connected 
to said security console, a third object receptacle connected to said 
information appliance, said first physical data-carrying object being 
inserted into a selected one of said first and second object receptacles 
that reads out the associated security-related data, said second physical 
data-carrying object being inserted into said third object receptacle that 
reads out associated security-related data, wherein a desired security 
configuration of said information system is based on said security-related 
data and said selected one of said first and second object receptacles, 
and wherein said security configuration gives access to a resource of one 
of said information system by said information appliance and said 
information appliance by said security console. 
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